TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Increased Managerial Attention Is Needed to Ensure Taxpayer Accounts Are Monitored to Detect Unauthorized Employee Accesses

July 24, 2006

Reference Number: 2006-20-111

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.
Redaction Legend:
3d = Identifying Information - Other Identifying Information of an Individual or Individuals

Phone Number / 202-927-7037
Email Address / Bonnie.Heald@tigta.treas.gov
Web Site / http://www.tigta.gov


DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

July 24, 2006

MEMORANDUM FOR DEPUTY COMMISSIONER FOR OPERATIONS SUPPORT
               DEPUTY COMMISSIONER FOR SERVICES AND ENFORCEMENT

FROM:          Michael R. Phillips
               Deputy Inspector General for Audit

SUBJECT:       Final Audit Report - Increased Managerial Attention Is Needed to Ensure Taxpayer Accounts Are Monitored to Detect Unauthorized Employee Accesses (Audit # 200520034)

This report represents the results of our review to determine whether Internal Revenue Service (IRS) management and security staffs were adequately reviewing online Integrated Data Retrieval System (IDRS) reports to detect unauthorized accesses to taxpayer accounts.

Synopsis

The IDRS is a mission critical system containing sensitive information such as taxpayers' names, Social Security Numbers, birth dates, addresses, filing statuses, exemptions, and income. This system is used by IRS employees to research and update taxpayer data. Because of the sensitive nature of its data, the IDRS routinely generates audit trail¹ information. The IRS and Treasury Inspector General for Tax Administration use the audit trail information to identify unauthorized accesses to taxpayer accounts, thus ensuring employees who violate the Taxpayer Browsing Protection Act of 1997² are identified and appropriate employee actions are taken.

¹ An audit trail is a chronological record of system activities that allows for the reconstruction, review, and examination of a transaction from inception to final results.
² 26 U.S.C.A. §§ 7213, 7213A, 7431 (West Supp. 2003). This Act makes it a criminal offense to access or inspect tax information without proper authorization. This legislation focuses on the IRS ensuring its employees access taxpayer data only for official purposes.

In 2002, the IRS incrementally deployed the IDRS Online Reports Services (IORS) system³ to reduce the costs of printing and distributing paper reports of IDRS audit trail information to IRS personnel responsible for identifying unauthorized accesses. However, audit trail information from the IORS system was not always being reviewed and investigated to detect unauthorized accesses and noncompliance with security controls. Although 9 of the 10 campus⁴ data security staffs carried out their security-related responsibilities for reviewing IDRS Security Reports using the IORS system, a majority of business unit managers are not performing their responsibilities to investigate potential unauthorized accesses to IDRS accounts and noncompliance with security controls. As a result, employees may be browsing their spouses' or other employees' tax information with little chance of detection. In addition, employees may be knowingly or unknowingly violating current security procedures that could enable unauthorized persons to access sensitive taxpayer information.

Using the IORS system, IRS business unit managers are responsible for reviewing and certifying four IDRS Security Reports. On average, only 42 percent of IRS business unit managers certified their IDRS Security Reports in September 2005. Individual campus certification rates⁶ ranged from a high of 75 percent to a low of 15 percent, and only 36 percent of these certifications were performed timely. The Mission Assurance and Security Services (MA&SS) organization and IRS business unit management have not sufficiently emphasized the need for business unit managers to review the IDRS Security Reports produced by the IORS system. In addition, managers were not held accountable for reviewing the IDRS Security Reports on a regular basis, and the level of emphasis varied among the data security staffs located at the IRS campuses.

³ The IORS system is a web-based application that provides business unit managers and data security staffs online access to security reports based on the IDRS audit trail information.
⁴ Campuses are the data processing arm of the IRS. The campuses process paper and electronic submissions, correct errors, and forward data to the Computing Centers for analysis and posting to taxpayer accounts. IRS Computing Centers support tax processing and information management through a data processing and telecommunications infrastructure.
⁵ The IRS conducts awareness briefings to better focus agency-wide attention on preventing the willful unauthorized access and inspection of taxpayer records, which it refers to as UNAX.
⁶ Campus certification rates are based on certification rates of all Area Offices serviced by a particular campus. Area Offices are located throughout the United States; they serve as the coordination point for and assist the public with tax issues.

Due to the low certification rates nationally, we have little confidence that IRS managers are detecting potential unauthorized accesses of taxpayer information by employees. Additionally, the IRS cannot ensure employees are complying with the security controls established to protect the IDRS.

During our visits to the IRS Campuses in Brookhaven, New York, and Austin, Texas, we found the compliance levels were directly affected by the amount of emphasis provided by the local data security staffs. For example, the data security staff at the Brookhaven Campus made the effort to communicate with employees at the Campus and in the Area Offices, provide local IORS system users with training and awareness information, and notify senior business unit managers when subordinate managers did not review IDRS Security Reports timely. As a result, the certification rate was 75 percent. Conversely, the Austin Campus was not providing adequate emphasis over the IORS system program, and its compliance rate was only 15 percent.

Systemic problems with the IORS system also contributed to the low levels of compliance. These problems hindered business unit managers from adequately reviewing and timely identifying potential unauthorized accesses to employees' and their spouses' accounts and noncompliance with security controls on the IDRS. For example, certain IORS system users were unable to retrieve IDRS Security Reports, and slow response times hindered business unit managers' reviews of IDRS Security Reports.

The IRS paid a contractor $2.4 million over 3 years to develop the IORS system and took incremental delivery of it in 2002, although the IORS system did not completely meet the IRS' requirements. Additional system enhancements to address deficiencies were to be made in the next version of the IORS system, originally scheduled for deployment in December 2005. However, the MA&SS organization determined the contractor was unable to develop the new version of the IORS system according to the IRS' needs, and the contract, which expired in September 2005, was not renewed.

Recommendations

We recommended the Chief, MA&SS, (1) emphasize to the IRS business units the need to review electronic IDRS Security Reports using the IORS system and (2) eliminate the requirement to certify the monthly Security Profile Report⁷ to reduce managerial burden. Additionally, we recommended the Deputy Commissioner for Operations Support and the Deputy Commissioner for Services and Enforcement ensure business unit managers' operational review requirements are updated to include a step to validate the certification of IDRS Security Reports. Business unit managers should then be held accountable for meeting their security-related responsibilities.

⁷ The Security Profile Report is a monthly and quarterly IDRS security report that identifies employees' capabilities on the IDRS and occurrences when employees use a command that is not within their user profiles.

To complete development of the next version of the IORS system, we recommended the Chief, MA&SS, place priority on hiring a new contractor and prioritize and address the systemic weaknesses within a reasonable time period.

Response

The IRS agreed with three of the four recommendations in our report and disagreed with one. To ensure IDRS Security Reports are reviewed in the future, the IRS will implement a process to monitor and review the compliance rate of IRS business units. Actions will be taken to require all IRS business units to include the results of MA&SS organization quarterly compliance reports in all management operational reviews to identify and enforce consequences for noncompliance. The IRS will address all the systemic weaknesses connected with the IORS system and will obtain contractual support to ensure all weaknesses are corrected. The IRS disagreed with our recommendation that certification of the monthly Security Profile Report be eliminated, due to the length of time between the quarterly and monthly reporting periods. Management's complete response to the draft report is included as Appendix IV.

Office of Audit Comment

In our discussion draft report, we initially recommended the IRS eliminate the quarterly Security Profile Report because the IRS already had a requirement to certify the monthly versions of this Report. During the closing conference on the discussion draft report, MA&SS organization representatives requested that we instead recommend eliminating the monthly Security Profile Report, to reduce the burden to IRS managers. We concurred with the request and revised our recommendation accordingly. Management's disagreement with this recommendation is contradictory to what was discussed at our closing conference. We continue to believe the IRS should take whatever actions are needed to ensure the security and privacy of taxpayer data on the IDRS.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510.


Table of Contents

Background .......... Page 1

Results of Review .......... Page 3
    Audit Trail Information Is Not Always Being Reviewed and Investigated to Identify Unauthorized Accesses to Taxpayer Accounts .......... Page 3
        Recommendations 1 and 2: .......... Page 8
        Recommendation 3: .......... Page 9
    Systemic Problems Are Hindering Management Reviews for Unauthorized Accesses to Taxpayer Accounts .......... Page 9
        Recommendation 4: .......... Page 11

Appendices
    Appendix I - Detailed Objective, Scope, and Methodology .......... Page 12
    Appendix II - Major Contributors to This Report .......... Page 14
    Appendix III - Report Distribution List .......... Page 15
    Appendix IV - Management's Response to the Draft Report .......... Page 16


Abbreviations

IDRS      Integrated Data Retrieval System
IORS      IDRS Online Reports Services
IRS       Internal Revenue Service
MA&SS     Mission Assurance and Security Services
TIGTA     Treasury Inspector General for Tax Administration
UNAX      Unauthorized Access to Taxpayer Information


Background

The Taxpayer Browsing Protection Act of 1997¹ made it a criminal offense to access or inspect tax information without proper authorization. A person convicted of any such violation shall be dismissed and be subject to a fine of up to $1,000, imprisonment of not more than 1 year, or both. This legislation was essentially focused on the Internal Revenue Service (IRS) to ensure its employees access taxpayer data only for official purposes. One of the main systems used by IRS employees to research and update taxpayer data is the Integrated Data Retrieval System (IDRS). The IDRS is a mission critical system that contains sensitive information such as taxpayers' names, Social Security Numbers, birth dates, addresses, filing statuses, exemptions, and income. Because of the sensitive nature of its data, the IDRS routinely generates audit trail² information that can be used to detect potential unauthorized accesses to taxpayer accounts. The IRS refers to the unauthorized access of taxpayer information as UNAX and provides yearly training to all employees to protect against it. Data security staffs located in the 10 IRS campuses³ and business unit managers located throughout IRS offices must investigate accesses to employees' and their spouses' accounts to determine whether the accesses were made for business reasons.

In addition, business unit managers should review audit trail information to detect noncompliance with security controls. For example, multiple failed attempts to access an account could indicate an unauthorized person was attempting to guess a password to gain access to sensitive data. Business unit managers should also review audit trail information to ensure employees have access to only the computer command codes⁴ they need to carry out their business responsibilities.

    The IORS system is a web-based application that provides business unit managers and data security staffs online access to IDRS Security Reports based on the IDRS audit trail information.

For many years, IRS data security staffs and business unit managers received IDRS audit trail information in computer-generated paper reports. To reduce the costs of printing and distributing these reports and to improve the effectiveness of reporting results of management reviews, the IRS deployed the IDRS Online Reports Services (IORS) system in 2003. The IORS system gives business unit managers the ability to retrieve, review, and comment on IDRS Security Reports electronically. The IORS system report content is used to identify authorized IDRS users who are attempting to perform unauthorized accesses, unauthorized attempts to access the IDRS, and users who need additional training because of repeated errors that could compromise the security of the system. Business unit managers can also use the IORS system to request archived IDRS Security Reports for data analyses and to initiate and approve IDRS security forms.

¹ 26 U.S.C.A. §§ 7213, 7213A, 7431 (West Supp. 2003).
² An audit trail is a chronological record of system activities that allows for the reconstruction, review, and examination of a transaction from inception to final results.
³ Campuses are the data processing arm of the IRS. The campuses process paper and electronic submissions, correct errors, and forward data to the Computing Centers for analysis and posting to taxpayer accounts. IRS Computing Centers support tax processing and information management through a data processing and telecommunications infrastructure.
⁴ These are various IDRS entry codes employees can use to research tax account information and update tax accounts.

The Mission Assurance and Support Services (MA&SS) organization is responsible for overseeing compliance with the IORS system and has direct responsibility over data security staffs located in the IRS campuses. Business units are responsible for ensuring their managers comply with IORS system procedures by investigating potential security violations and taking appropriate corrective actions. The data security staffs in each campus also monitor business unit managers in the campuses and the offices supported by those campuses to ensure IDRS Security Reports produced by the IORS system are properly reviewed. For example, the IRS Campus in Brookhaven, New York, is responsible for monitoring the Boston Area Office.⁵

In addition to IRS monitoring of the IDRS, the Treasury Inspector General for Tax Administration (TIGTA) Office of Investigations Strategic Enforcement Division conducts comprehensive proactive reviews of IDRS audit trail information to identify other unauthorized accesses, such as unauthorized accesses of tax information of celebrities, political figures, and employees' neighbors, former spouses, and relatives. Over the past 2 fiscal years, the TIGTA initiated 990 UNAX cases. All of the reviews of IDRS audit trail information performed by the IRS and the TIGTA should provide assurance that employees who violate the Taxpayer Browsing Protection Act of 1997 are identified and appropriate employee actions are taken.

This review was performed at the Brookhaven and Austin, Texas, Campuses; the Boston, Massachusetts, and Houston, Texas, Area Offices; and the MA&SS organization office in New Carrollton, Maryland, during the period June 2005 through February 2006. These locations were selected based on the campuses with the highest and lowest IDRS Security Report certification rates. The audit was conducted in accordance with Government Auditing Standards. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

⁵ Area Offices are located throughout the United States; they serve as the coordination point for and assist the public with tax issues.


Results of Review

Audit Trail Information Is Not Always Being Reviewed and Investigated to Identify Unauthorized Accesses to Taxpayer Accounts

The data security staffs in 9 of the 10 campuses carried out their security-related responsibilities for reviewing IDRS Security Reports produced by the IORS system. However, a majority of business unit managers are not performing their responsibilities to investigate potential unauthorized accesses to IDRS accounts and noncompliance with security controls. As a result, employees may be browsing their spouses' or other employees' tax accounts with little chance of detection. During our site visits, we found 3(d), a clear violation of the UNAX program. In addition, employees may be knowingly or unknowingly violating current security procedures that could enable unauthorized persons to access sensitive information.

    As a result, IRS employees may be browsing their spouses' or other employees' tax accounts with little chance of detection.

Business unit managers are not always reviewing IDRS Security Reports on the IORS system

IRS business unit managers are responsible for reviewing and certifying the following four IDRS Security Reports using the IORS system.

• Sensitive Access Report - Issued weekly: identifies IRS employees who have accessed another employee's or an employee's spouse's tax accounts. The IRS requires business unit managers to determine whether employees made these accesses for work-related reasons. Business unit managers must take appropriate steps, including research on the IDRS and review of case assignment files, to identify the employees' reasons for the accesses. If needed, business unit managers may also interview the employees.

• Security Violations Report - Issued weekly: identifies unsuccessful logon attempts and employees who left their computers without logging off. Business unit managers should discuss these violations with their employees to determine whether unauthorized persons were trying to guess their passwords and whether the employees need additional training on using the IDRS.

• IDRS Security Profile Reports (2 reports) - Issued monthly and quarterly: identify employees' capabilities on the IDRS and attempted accesses to taxpayer accounts using unauthorized command codes. Business unit managers should review these Reports to ensure employees only have the access capabilities they need to perform their responsibilities and to determine whether all attempted accesses to taxpayer accounts using unauthorized command codes were unintentional errors.

The IRS requires business unit managers to review and certify the weekly IDRS Security Reports within 14 calendar days of receipt and the monthly and quarterly Security Profile Reports within 28 calendar days of receipt. The IORS system determines whether business unit managers are responding timely to the Security Reports and sends email notifications to managers who have not responded within the specified period.

For September 2005, only 42 percent of IRS business unit managers certified their IDRS Security Reports. Individual campus certification rates for September 2005 ranged from a high of 75 percent to a low of 15 percent. Only 36 percent of these certifications were performed timely. Figure 1 presents the compliance levels for each of the 10 IRS campuses.
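To make concrete what the four Reports listed above pull out of the IDRS audit trail, the following is an added example in Python; it is not TIGTA, IRS or IORS code. The audit-record layout, the event names (LOGON, LOGON_FAIL, LOGOFF, ACCESS), the command codes CC-RES and CC-UPD, the employee and spouse TIN tables, the user profiles and the sample trail are all constructed assumptions; real IDRS records and command codes look different.

```python
"""Added example (not TIGTA, IRS or IORS code): deriving the content of the
Sensitive Access, Security Violations and Security Profile Reports from
audit-trail records.  Record layout, event names, command codes, TIN tables
and the sample trail are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AuditRecord:
    ts: datetime
    user: str               # employee's IDRS user id
    event: str              # "LOGON", "LOGON_FAIL", "LOGOFF" or "ACCESS"
    target_tin: str = ""    # taxpayer account touched by an ACCESS event
    command_code: str = ""  # command code used by an ACCESS event


# Constructed reference data: which TINs belong to employees or their spouses,
# and which command codes each user's profile permits.
EMPLOYEE_TINS = {"111-11-1111": "emp-A", "222-22-2222": "emp-B"}
SPOUSE_TINS = {"333-33-3333": "emp-A"}            # spouse of emp-A
USER_PROFILES = {"emp-A": {"CC-RES", "CC-UPD"}, "emp-B": {"CC-RES"}}


def sensitive_access_report(records):
    """Weekly Sensitive Access Report: accesses to another employee's or an
    employee's spouse's account.  The manager still has to establish whether
    each access had a work-related reason; this only lists the candidates."""
    findings = []
    for r in records:
        if r.event != "ACCESS":
            continue
        if r.target_tin in EMPLOYEE_TINS and EMPLOYEE_TINS[r.target_tin] != r.user:
            findings.append({"user": r.user, "tin": r.target_tin,
                             "relation": "employee:" + EMPLOYEE_TINS[r.target_tin]})
        elif r.target_tin in SPOUSE_TINS:
            findings.append({"user": r.user, "tin": r.target_tin,
                             "relation": "spouse-of:" + SPOUSE_TINS[r.target_tin]})
    return findings


def security_violations_report(records):
    """Weekly Security Violations Report: unsuccessful logon attempts counted
    per user, and sessions left open (a LOGON with no LOGOFF before the user's
    next LOGON or the end of the trail)."""
    failed = defaultdict(int)
    open_sessions = {}
    no_logoff = []
    for r in sorted(records, key=lambda x: x.ts):
        if r.event == "LOGON_FAIL":
            failed[r.user] += 1
        elif r.event == "LOGON":
            if r.user in open_sessions:
                no_logoff.append({"user": r.user, "logon": open_sessions[r.user]})
            open_sessions[r.user] = r.ts
        elif r.event == "LOGOFF":
            open_sessions.pop(r.user, None)
    no_logoff.extend({"user": u, "logon": t} for u, t in open_sessions.items())
    return {"failed_logons": dict(failed), "no_logoff": no_logoff}


def security_profile_report(records, profiles=USER_PROFILES):
    """Security Profile Report: each user's permitted command codes, plus every
    attempted access that used a command code outside that user's profile."""
    out_of_profile = [
        {"user": r.user, "command_code": r.command_code, "tin": r.target_tin}
        for r in records
        if r.event == "ACCESS" and r.command_code not in profiles.get(r.user, set())
    ]
    return {"capabilities": {u: sorted(c) for u, c in profiles.items()},
            "out_of_profile": out_of_profile}


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


SAMPLE_TRAIL = [  # constructed audit-trail records for one working day
    AuditRecord(_t("2005-09-12 08:00"), "emp-A", "LOGON"),
    AuditRecord(_t("2005-09-12 08:05"), "emp-A", "ACCESS", "555-55-5555", "CC-RES"),
    AuditRecord(_t("2005-09-12 08:10"), "emp-A", "ACCESS", "222-22-2222", "CC-RES"),  # another employee
    AuditRecord(_t("2005-09-12 08:12"), "emp-A", "ACCESS", "333-33-3333", "CC-UPD"),  # own spouse
    AuditRecord(_t("2005-09-12 08:30"), "emp-B", "LOGON_FAIL"),
    AuditRecord(_t("2005-09-12 08:31"), "emp-B", "LOGON_FAIL"),
    AuditRecord(_t("2005-09-12 08:32"), "emp-B", "LOGON_FAIL"),
    AuditRecord(_t("2005-09-12 08:35"), "emp-B", "LOGON"),
    AuditRecord(_t("2005-09-12 08:40"), "emp-B", "ACCESS", "555-55-5555", "CC-UPD"),  # outside profile
    AuditRecord(_t("2005-09-12 17:00"), "emp-B", "LOGOFF"),
    # emp-A never logs off, so the session shows up as left open
]

if __name__ == "__main__":
    print(sensitive_access_report(SAMPLE_TRAIL))
    print(security_violations_report(SAMPLE_TRAIL))
    print(security_profile_report(SAMPLE_TRAIL))
```

Each function returns the items a manager is asked to certify rather than a verdict: a sensitive-access finding still needs its work-related reason established through IDRS research, case files or an interview, and a count of failed logons is only the prompt for the password-guessing conversation the Report is meant to trigger.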
The results for\n    each campus include the certification and timeliness rates for all IRS offices supported by the\n    data security staffs in the campuses.\n                         Figure I : National IORS System Compliance Levels\n\n\n\n\n                                 MA&SS organization\'s analyses.6\n\n\n\n    6\n     The national IORS system compliance levels were computed manually by the MA&SS organization. Additionally,\n    IDRS Security Reports issued to managers for certification with no violations reported were not used in the analysis.\n                                                                                                                Page 4\n\x0c                           Increased Managerial Attention Is Needed to Ensure\nI\n,                              Taxpayer Accounts Are Monitored to Detect\n                                    Unauthorized Employee Accesses\n\n\n\n    The certification rates and timeliness rates were consistently low for the four IDRS Security\n    Reports that business unit managers are required to review. Figure 2 reflects the September 2005\n    compliance levels for the four Reports.\n                     Figure 2: IORS System Compliance Levels by Report\n\n\n\n\n                         Source: September 2005 compliance levels based on the\n                         MA&SS organization S analyses.\n\n    Two of the Reports (the monthly and quarterly IDRS Security Profile Reports) provide the same\n    information but cover different time periods. Reviews of the quarterly Security Profile Reports\n    were the lowest among all four IDRS Security Reports. 
IRS business unit managers advised us\n    that either the certification of the monthly or the quarterly Security Profile Report could be\n    eliminated, or the Report results could be provided for informational purposes only.\n    The MA&SS organization and IRS business units have not sufficiently emphasized the need for\n    business unit managers to review IDRS Security Reports and have not held their managers\n    accountable for reviewing these Reports on a regular basis. Due to the low certification rates\n    nationally, we have little confidence that IRS managers are detecting all potential unauthorized\n    accesses of taxpayer information. Additionally, without these reviews, the IRS cannot ensure\n    employees are complying with the security controls established to protect the IDRS.\n    We noted a wide disparity in the amount of emphasis provided by the data security staffs in the\n    campuses. Specifically, we found the compliance levels for the Brookhaven and Austin\n    Campuses were directly affected by the amount of emphasis provided by the local data security\n    staffs. The data security staff in the Brookhaven Campus effectively communicated with\n    employees at the Campus and in the Area Offices and notified senior business unit managers\n    when subordinate managers did not review IDRS Security Reports timely. This information was\n    shared with the manager responsible for certifying the Reports.\n    The Brookhaven Campus data security staff also supported IORS system users through the use of\n    several IORS system instructional materials, training lessons, and newsletters. Instructional aids\n    were prepared to assist business unit managers in the review and certification of IDRS Security\n    Reports. 
Limited IORS system training was developed locally and provided to employees on an as-requested basis. In addition, quarterly newsletters were issued to inform business unit managers of important IORS system features and problems that hinder the review of IDRS Security Reports. As a result, most Brookhaven Campus business unit managers regularly reviewed IDRS Security Reports.

Conversely, the Austin Campus was not providing adequate emphasis over the IORS system program to ensure employees were reviewing IDRS Security Reports. [3(d)] business unit managers we interviewed in the Houston Area Office had not reviewed any of the required 579 IDRS Security Reports in Fiscal Year 2005. The business unit managers indicated a significant lack of emphasis and support on how to initially access the IORS system by the Austin Campus data security staff.

Additionally, 104 (28 percent) of the 370 business unit managers at the Austin Campus had never logged into the IORS system, although training was provided in 2003. Because these business unit managers failed to log in, IORS system user accounts were not established. As a result, business unit managers were not receiving IDRS Security Reports showing potential inappropriate transactions and noncompliance with security controls for over 1,400 Austin Campus employees. Because these IRS managers did not initially log into the IORS system, IDRS Security Reports were not provided for these managers and could not be reviewed to detect inappropriate activity. Figure 3 provides a breakout by function of the business unit managers assigned to the Austin Campus who have never logged into the IORS system.

Figure 3: IRS Functional Managers Not Using the IORS System - Austin Campus
[Chart not recovered from the scanned page.]
Source: The MA&SS organization's analyses, September 2005.

Most data security staffs certify they reviewed IDRS Security Reports

On a daily basis, data security staffs located in each IRS campus are required to certify they have reviewed the four IDRS Security Reports generated daily. Specifically, the Sensitive Access Report identifies IDRS users with attempted and actual accesses to another employee's or an employee's spouse's tax accounts. The three other Reports are designed to ensure the accuracy of the IORS system and monitor overall usage by command codes.

For Fiscal Year 2005, data security staffs in each of the 10 IRS campuses certified 94 percent of the IDRS Security Reports. Eighty-seven percent of these Reports were timely certified (within 7 calendar days of the managers' receipt of the Report). The Sensitive Access Report certification rates ranged nationally from a high of 100 percent at the Andover, Atlanta, and Kansas City Campuses to a low of 51 percent at the Memphis Campus. Figure 4 presents the Fiscal Year 2005 Sensitive Access Reports compliance levels for each of the 10 IRS campus data security staffs.

Figure 4: National Sensitive Access Reports Compliance Levels for Fiscal Year 2005 - Data Security Staffs
[Table not recovered from the scanned page. Columns: IRS Campus, Certification Rate, Timeliness Rate. Only the first row is legible: Andover, 100%, 99%.]

The Memphis Campus certified only 24 (51 percent) of the 47 Sensitive Access Reports in Fiscal Year 2005, and only 42 percent of the reports were timely reviewed. These Reports are crucial for identifying users who attempted to access tax records of another employee or an employee's spouse's account.
These accesses are prohibited under the Taxpayer Browsing Protection Act of 1997 and could indicate employees who are attempting to improperly alter their own or their spouses' tax accounts. Although the IDRS should block such accesses, the data security staffs are required to report the employees to the IRS Labor Relations Office[7] for control and assignment to the employees' managers for an official response. In some instances, if the access was inappropriate, the case should be referred to the TIGTA Office of Investigations. We attribute the noncompliance at the Memphis Campus to a lack of local emphasis and oversight by the MA&SS organization.

[7] This is the IRS office that reviews proposed employee disciplinary actions and ensures actions are consistent and in conformance with laws, rules, regulations, and prior judicial and appeal decisions.

Recommendations

Recommendation 1: The Chief, MA&SS, should coordinate with the business units and place emphasis on the review of electronic IDRS Security Reports using the IORS system. Periodic compliance reviews should be conducted to ensure the business units carry out their roles and responsibilities to review IDRS Security Reports.

Management's Response: The IRS agreed with this recommendation. The MA&SS organization will implement a semiannual monitoring and reporting process that will determine compliance of the IRS business units with requirements to review and certify IDRS Security Reports. IRS business units will be advised of their compliance.

Recommendation 2: The Chief, MA&SS, should eliminate the requirement to certify the monthly Security Profile Report to reduce managerial burden because the data are captured in the quarterly Security Profile Reports.

Management's Response: The IRS disagreed with this recommendation, stating that deferring the review of the Security Profile Report to only quarterly periods could result in various deficiencies going undetected for extended periods.

Office of Audit Comment: In our discussion draft report, we initially recommended the IRS eliminate the quarterly Security Profile Report because the IRS already had a requirement to certify the monthly versions of this Report. During the closing conference on the discussion draft report, MA&SS organization representatives requested that we instead recommend eliminating the monthly Security Profile Report, to reduce the burden to IRS managers. We concurred with the request and revised our recommendation accordingly. Management's disagreement with this recommendation is contradictory to what was discussed at our closing conference. We continue to believe the IRS should take whatever actions are needed to ensure the security and privacy of taxpayer data on the IDRS.

Recommendation 3: The Deputy Commissioner for Operations Support and the Deputy Commissioner for Services and Enforcement should ensure all business unit managers' operational review requirements are updated to include a step to validate that all IORS system-related reports are certified timely (by the manager or designee) and to hold the business unit managers accountable for meeting their security-related responsibilities.

Management's Response: The IRS agreed with this recommendation. A memorandum will be issued by the Deputy Commissioner for Operations Support and the Deputy Commissioner for Services and Enforcement to all IRS Commissioners and Chiefs requiring all business units' operational reviews to include MA&SS organization quarterly IORS security compliance reports and to identify and enforce consequences for noncompliance.

Systemic Problems Are Hindering Management Reviews for Unauthorized Accesses to Taxpayer Accounts

In addition to a lack of emphasis, we attribute some of the noncompliance by business unit managers to systemic problems.
These problems involve significant system access and software issues, which have hindered managers' ability to review IDRS Security Reports timely using the IORS system. The IORS system should effectively facilitate the distribution, review, and accurate validation of IDRS reports, and, when necessary, responsive action to the contents of these reports. The IRS paid a contractor $2.4 million over 3 years to develop the IORS system. The IRS took delivery of the IORS system incrementally starting in 2002 and during 2003 relied on it to assist with the identification of unauthorized accesses and noncompliance with security controls. Although the IORS system is operational, the following systemic issues and problems are hindering business unit managers from adequately reviewing and timely identifying potential unauthorized accesses to employees' and their spouses' accounts and noncompliance with security controls on the IDRS.

System access issues

Slow response times have hindered business unit managers' reviews of IDRS Security Reports. Several business unit managers we interviewed stated they had experienced significant amounts of system downtime and slow IORS system performance. Business unit managers also discussed the difficulty reviewing IDRS Security Reports on Mondays due to the large number of users attempting to log into the IORS system. The IORS system application was moved to a single server in August 2005 and users saw some improvement. An even more dramatic improvement in performance was achieved when the MA&SS organization implemented automated maintenance routines in October 2005. The MA&SS organization stated that, in the future, it will be providing its employees with database and web-server administration training regarding procedures to optimize performance of the IORS system servers.

Certain IORS system users are unable to retrieve IDRS Security Reports. When they attempt to retrieve the IDRS Security Reports, the IORS system logs them out and then displays the IORS system login page. The problem occurs if the users connect to the IORS system web site using a "shortcut" or "favorites" link they created while logged into the IORS system. Users are instructed to go to the IORS system web site and log in when they experience this situation.

Some business unit managers are unable to access the monthly and quarterly IDRS Security Profile Reports. On occasion, users receive an error message when they attempt to retrieve these Reports. As an alternative, the MA&SS organization developed a program to run every 3 minutes to recompile the IORS system database table that supports these Reports.

The IORS system issues "certification due" notices even when managers have no IDRS Security Reports to review. The MA&SS organization suggested that users certify the blank Reports to prevent an erroneous reminder notice. The Reports could be suppressed to minimize management burden.

Software problems

A software problem in the IORS system application causes IDRS Security Reports to display only the certifications that were input by the current manager. The certification information will not appear if a Security Report was certified by someone else.

The IORS system feature to track certification and timeliness rates provides inaccurate results when managers designate another manager to certify an IDRS Security Report. Business unit managers in the Brookhaven Campus instead keep track manually using a locally developed checklist of Security Reports they have certified.

A software problem allows IORS system user profiles and permissions to be transferred to other business unit managers. Business unit managers are then able to view and certify other business unit managers' and employees' security reports.

Management oversight issues

Business unit managers have the ability to review and certify their own security violations without requiring a higher level of approval. Business unit managers' violations are displayed on the same IDRS Security Report as those of their employees. According to the Brookhaven Campus data security staff, the issue was discussed with the MA&SS organization and an oversight feature was developed in the IORS system to address the problem. The feature allows program managers to log into the IORS system to review violations committed by their business unit managers. However, the use of this feature is voluntary, and only one program manager at the Brookhaven Campus was using it.
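The review controls the report is measuring (only the assigned manager or a designated proxy may certify a Security Report, a manager whose own accesses appear on the report cannot sign it off without a program manager, and a certification counts as timely only within 7 calendar days of receipt) can be written down as explicit checks. The Python below is an added illustration for this page and is not IRS or IORS code; the report fields, the user IDs and dates, and the choice to compute both compliance rates over the full report count are constructed assumptions.

```python
"""Constructed model of a security-report certification workflow (not IORS code)."""
from dataclasses import dataclass, field
from datetime import date

# "within 7 calendar days of the managers' receipt of the Report" (from the audit text)
TIMELINESS_WINDOW_DAYS = 7


@dataclass(frozen=True)
class SecurityReport:
    report_id: str
    assigned_manager: str   # manager required to certify this report
    received: date          # date the manager received it
    violators: frozenset    # user IDs whose accesses are flagged on the report


@dataclass(frozen=True)
class Certification:
    report_id: str
    certifier: str
    certified_on: date


@dataclass
class ReviewRegistry:
    proxies: dict = field(default_factory=dict)         # manager -> designated proxy
    program_managers: frozenset = frozenset()           # may certify a manager's own violations
    certifications: dict = field(default_factory=dict)  # report_id -> Certification

    def certify(self, report: SecurityReport, certifier: str, certified_on: date) -> Certification:
        """Record a certification, or raise PermissionError stating why it is refused."""
        if report.report_id in self.certifications:
            raise PermissionError(f"{report.report_id}: already certified")
        if certifier in report.violators:
            # Separation of duties: nobody signs off on a report that lists their own access.
            raise PermissionError(f"{report.report_id}: {certifier} appears on the report")
        if report.assigned_manager in report.violators:
            # The responsible manager is a subject of the report: a program manager must certify.
            if certifier not in self.program_managers:
                raise PermissionError(f"{report.report_id}: program manager approval required")
        elif certifier not in (report.assigned_manager, self.proxies.get(report.assigned_manager)):
            raise PermissionError(f"{report.report_id}: {certifier} is neither the assigned manager nor a proxy")
        cert = Certification(report.report_id, certifier, certified_on)
        self.certifications[report.report_id] = cert
        return cert

    def compliance_rates(self, reports) -> tuple:
        """Return (certification %, timely-certification %) over the given reports.

        Assumption: both rates use the total number of reports as the denominator.
        """
        if not reports:
            return (0.0, 0.0)
        certified = [r for r in reports if r.report_id in self.certifications]
        timely = [r for r in certified
                  if (self.certifications[r.report_id].certified_on - r.received).days
                  <= TIMELINESS_WINDOW_DAYS]
        n = len(reports)
        return (100.0 * len(certified) / n, 100.0 * len(timely) / n)


def run_demo() -> dict:
    """Run the workflow over constructed sample reports; returns the rates and refused attempts."""
    reports = [
        SecurityReport("R1", "mgr_a", date(2005, 10, 3), frozenset({"emp_1"})),
        SecurityReport("R2", "mgr_a", date(2005, 10, 10), frozenset()),
        SecurityReport("R3", "mgr_c", date(2005, 10, 17), frozenset({"mgr_c"})),  # manager's own access
        SecurityReport("R4", "mgr_c", date(2005, 10, 24), frozenset({"emp_2"})),  # never certified
    ]
    registry = ReviewRegistry(proxies={"mgr_a": "mgr_b"}, program_managers=frozenset({"pm_1"}))
    attempts = [
        ("R1", "mgr_a", date(2005, 10, 5)),   # assigned manager, 2 days: timely
        ("R2", "emp_9", date(2005, 10, 12)),  # unauthorized user: refused
        ("R2", "mgr_b", date(2005, 10, 20)),  # designated proxy, 10 days: certified but late
        ("R3", "mgr_c", date(2005, 10, 18)),  # manager certifying own violation: refused
        ("R3", "pm_1", date(2005, 10, 18)),   # program manager, 1 day: timely
    ]
    by_id = {r.report_id: r for r in reports}
    refused = []
    for report_id, who, when in attempts:
        try:
            registry.certify(by_id[report_id], who, when)
        except PermissionError as exc:
            refused.append(str(exc))
    return {"rates": registry.compliance_rates(reports), "refused": refused}


if __name__ == "__main__":
    result = run_demo()
    print("certification %, timely %:", result["rates"])
    for line in result["refused"]:
        print("refused:", line)
```

Note that the refusals are the point: R3 can only be closed by a program manager, which is the mandatory form of the voluntary oversight feature the report describes, and R4 remains uncertified so it shows up in the rates rather than disappearing from a manager's view.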
When business unit managers are allowed to approve their own violations, the IRS is offering managers unlimited access to taxpayer account data and allowing unauthorized accesses to go undetected.

Most business unit managers are not using the IORS system proxy feature. The Brookhaven Campus data security staff discouraged its use because of system problems. The proxy feature should be used to assign another user to review reports when business unit managers are not available. Our interviews of 50 managers indicated users are not fully aware of the importance of this feature. For example, one manager [3(d)] and did not assign a proxy to review the security reports for [illegible] employees during the absence.

During our review, the MA&SS organization began development of a web site to track the ongoing systemic issues with the IORS system. Business unit managers will be able to access the web site to obtain current information on problems with the application and on alternatives to use until the deficiencies are fixed. This web site became operational in April 2006.

The IRS was aware the IORS system did not completely meet its requirements when it took incremental delivery in 2002. Additional enhancements to address deficiencies were to be included in the next version of the IORS system, originally scheduled for deployment in December 2005. However, the MA&SS organization determined the contractor was unable to develop the new version of the IORS system according to the IRS' needs. The contract, which expired in September 2005, was not renewed, and deployment of the new version has been delayed.

Recommendation

Recommendation 4: The Chief, MA&SS, should place priority on hiring a new contractor to complete development of the next version of the IORS system. The systemic weaknesses with the IORS system should be prioritized and addressed within a reasonable time period.

Management's Response: The IRS agreed with this recommendation. The MA&SS organization is coordinating with the Chief Information Officer to transfer the responsibility of obtaining the technical contract for the IORS system. The MA&SS organization IDRS Security Program Office will prioritize the systemic weaknesses of the IORS system and monitor the process for timely implementation of systemic changes.

Appendix I

Detailed Objective, Scope, and Methodology

The overall objective of this review was to determine whether IRS management and security staffs were adequately reviewing online IDRS[1] reports to detect unauthorized accesses to taxpayer accounts. To accomplish our objective, we:

I. Determined whether managers of IDRS users, designated proxies,[2] and unit security representatives[3] were carrying out their responsibilities for identifying potential unauthorized access violations by evaluating national IORS system[4] reports for all 10 IRS campuses.[5]
   A. Evaluated the guidance, oversight, and training provided by the MA&SS organization to the field offices responsible for conducting security reviews to ensure adherence to applicable guidelines and criteria.
   B. Determined whether sufficient training on the IORS system had been timely provided to managers, designated proxies, and data security staffs.
   C. Determined whether data security staffs and business unit managers were complying with the requirements to review IDRS Security Reports to detect unauthorized accesses to taxpayer accounts. We reviewed national statistics for all 10 IRS campuses and visited the Brookhaven, New York, and Austin, Texas, Campuses. We also visited the Boston, Massachusetts, and Houston, Texas, Area Offices[6] and reviewed the IORS reports for Fiscal Year 2005 for 50 managers we judgmentally selected.[7] We could not identify the population of managers due to systemic errors with the IORS system. The Area Offices were selected based on the Brookhaven and Austin Campuses, which had the highest and lowest IDRS Security Report certification rates, respectively.
   D. Contacted the Treasury Inspector General for Tax Administration Office of Investigations local offices before our visits to determine whether they had any ongoing investigations in the sampled offices.
II. Determined whether the IORS system web-based application was operating effectively and met the needs of its users.
   A. Interviewed the program analyst and developers in the MA&SS organization to determine whether the IORS system application was working as intended.
   B. Determined the future plans for or enhancements to be made to the IORS system.
   C. Evaluated the weekly, monthly, and quarterly IDRS Security Reports to determine whether the information was presented in a clear and understandable format.
   D. Visited the Campuses and Area Offices with the highest and lowest IORS report certification rates. The sites included the Brookhaven and Austin Campuses and the Boston and Houston Area Offices.
   E. Selected a judgmental sample of 50 business unit managers at the 4 locations visited. We could not identify the population of managers due to systemic errors with the IORS system. We interviewed the managers and the data security staffs at the Brookhaven and Austin Campuses to determine whether the IORS system operated effectively and met the needs of its users.

[1] The IDRS is the IRS computer system capable of retrieving or updating stored information; it works in conjunction with a taxpayer's account records.
[2] The designated proxies review the security reports when the business unit managers are not available.
[3] Unit security representatives are individuals assigned by their business organizations to help ensure IDRS security administration activities are properly performed for their IDRS users.
[4] The IORS system is a web-based application that provides business unit managers and data security staffs online access to IDRS Security Reports based on the IDRS audit trail information. An audit trail is a chronological record of system activities that allows for the reconstruction, review, and examination of a transaction from inception to final results.
[5] Campuses are the data processing arm of the IRS. The campuses process paper and electronic submissions, correct errors, and forward data to the Computing Centers for analysis and posting to taxpayer accounts. IRS Computing Centers support tax processing and information management through a data processing and telecommunications infrastructure.
[6] Area Offices are located throughout the United States; they serve as the coordination point for and assist the public with tax issues.
[7] We used judgmental sampling for Steps I.C. and II.E. due to time constraints and availability of managers during our site visits.

Appendix II

Major Contributors to This Report

Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)
Stephen Mullins, Director
Kent Sagara, Acting Director
Thomas Polsfoot, Audit Manager
Michelle Griffin, Senior Auditor
Abraham Millado, Senior Auditor
Jacqueline Nguyen, Senior Auditor
William Simmons, Senior Auditor

Appendix III

Report Distribution List

Commissioner C
Office of the Commissioner - Attn: Chief of Staff C
Chief Information Officer OS:CIO
Chief, Mission Assurance and Security Services OS:MA
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Management Controls OS:CFO:AR:M
Audit Liaisons:
   Deputy Commissioner for Operations Support OS
   Deputy Commissioner for Services and Enforcement SE
   Chief Information Officer OS:CIO
   Chief, Mission Assurance and Security Services OS:MA

Appendix IV

Management's Response to the Draft Report
DEPARTMENT OF THE TREASURY
INTERNAL REVENUE SERVICE
WASHINGTON, D.C. 20224

RECEIVED JUL 06 2006

JUL 06 2006

FROM: [illegible]

SUBJECT: Response to Draft Audit Report - Increased Managerial Attention Is Needed to Ensure Taxpayer Accounts Are Monitored to Detect Unauthorized Employee Accesses (Audit # 200520034)

Thank you for the opportunity to review the draft audit report on IRS' Integrated Data Retrieval System Online Reports Services (IORS), a web-based application that provides Integrated Data Retrieval System (IDRS) security reports to Unit Security Representatives and managers. The IDRS is a main [illegible] used by IRS employees to research and update taxpayer data. We appreciate that your report credits the IRS for deploying IORS to reduce the costs of printing and distributing paper copies of computer-generated IDRS audit trail report information.

The report has four recommendations. We concur on three of the report recommendations and nonconcur on the remaining one recommendation. Attached is a detailed response outlining our corrective action plans to the recommendations. Specifically, for recommendation #1, you addressed IRS emphasizing the review of IORS reports. Actions will be taken to implement a process to monitor review compliance by Business Units. In recommendation #2, you propose eliminating the certification of the monthly Security Profile Report. We do not concur, as IRS is concerned that deferring the review of the Security Profile Report to only quarterly periods could result in a potential security deficiency being undetected for an extended period of time. Recommendation #3 addresses timely certification of the reviews of IORS reports and management accountability. Actions will be taken requiring the timely reviews and addressing noncompliance. The final recommendation addresses contractual support of IORS. This is a priority of the Service to ensure system weaknesses are corrected.

We appreciate your continued support and valuable oversight and assistance. If you have any questions, please contact me at (202) 822-8010, or Devon Bryan, Director, Information Technology Security, at (202) 288-7271.

Attachment

Management response to Draft Audit Report - Increased Managerial Attention Is Needed to Ensure Taxpayer Accounts Are Monitored to Detect Unauthorized Employee Accesses (Audit #200520034)

RECOMMENDATION #1:
The Chief, Mission Assurance and Security Services, should coordinate with the business units and place emphasis on the review of electronic IDRS Security Reports using the IORS system. Periodic compliance reviews should be conducted to ensure the business units carry out their roles and responsibilities to review IDRS Security Reports.

CORRECTIVE ACTION TO RECOMMENDATION #1:
Mission Assurance and Security Services concurs with the recommendation and will implement a semiannual monitoring and reporting process that will determine compliance of the business units in reviewing and certifying Integrated Data Retrieval System (IDRS) Security reports. Business units will be advised of their compliance.

IMPLEMENTATION DATE:
December 15, 2006 (First compliance check is for the third and fourth quarters of FY 2006)

RESPONSIBLE OFFICIAL:
Director, Information Technology Security OS:MA:IT

CORRECTIVE ACTION MONITORING PLAN:
The IDRS Security Program Office will report monthly to the Director, IT Security, on the progress of developing the applications and procedures to implement a monitoring and reporting process. Also, once implemented, all business units that do not achieve at least a 90 percent certification rate will be required to provide a justification for the report not being reviewed.

RECOMMENDATION #2:
The Chief, Mission Assurance and Security Services, should eliminate the requirement to certify the monthly Security Profile Report to reduce managerial burden because the data is captured in the quarterly Security Profile Reports.

CORRECTIVE ACTION TO RECOMMENDATION #2:
Mission Assurance and Security Services does not concur with this recommendation. The Integrated Data Retrieval System (IDRS) Security Profile reports summarize user activities and capabilities on IDRS on both a monthly and quarterly basis. Deferring the review of this report to only quarterly periods could result in various deficiencies being undetected for extended periods of time. Such deficiencies would include identifying IDRS users who are in the wrong units, who need a restriction applied to their profile in accordance with IRS policies, or who no longer need access to IDRS. By requiring the review and certification of the quarterly report, managers can better determine whether users have command codes and accesses to other IDRS functionality that are no longer needed.

IMPLEMENTATION DATE:
Not Applicable

RESPONSIBLE OFFICIAL:
Not Applicable

CORRECTIVE ACTION MONITORING PLAN:
Not Applicable

RECOMMENDATION #3:
The Deputy Commissioner for Operations Support and the Deputy Commissioner for Services and Enforcement should ensure all business unit managers' operational review requirements are updated to include a step to validate that all IORS system-related reports are certified timely (by the manager or designee) and to hold the business unit managers accountable for meeting their security-related responsibilities.

CORRECTIVE ACTION TO RECOMMENDATION #3:
The IRS concurs with the recommendation. A memo signed jointly by the Deputy Commissioner for Operations Support and the Deputy Commissioner for Services and Enforcement will be issued to IRS Commissioners and Chiefs:
   (1) Requiring all Business Units' operational reviews to include Mission Assurance and Security Services IORS quarterly Integrated Data Retrieval System (IDRS) security compliance reports.
   (2) Identifying and enforcing consequences for noncompliance in reviewing and certifying the IDRS security compliance reports maintained in IORS.

IMPLEMENTATION DATE:
December 15, 2008

RESPONSIBLE OFFICIAL:
Deputy Chief, Mission Assurance & Security Services OS:MA

CORRECTIVE ACTION MONITORING PLAN:
Mission Assurance and Security Services will be tracking the development of the memo until distribution.

RECOMMENDATION #4:
The Chief, Mission Assurance and Security Services, should place priority on hiring a new contractor to complete development of the next version of the IORS system. The systemic weaknesses with the IORS system should be prioritized and addressed within a reasonable time period.

CORRECTIVE ACTION TO RECOMMENDATION #4:
Mission Assurance and Security Services (MA&SS) concurs with this recommendation. MA&SS has placed a priority on obtaining technical support. MA&SS is coordinating and working with the Chief Information Officer's organization to transfer the responsibility of obtaining the technical contract for the IORS system. The CIO organization will use existing contracting vehicles to fulfill the needed contractual support. Also, MA&SS' IDRS Security Program Office will prioritize the systemic weaknesses of IORS and monitor the process for timely implementation of system changes.

IMPLEMENTATION DATE:
November 15, 2006

RESPONSIBLE OFFICIAL:
Director, Information Technology Security OS:MA:IT

CORRECTIVE ACTION MONITORING PLAN:
The Director for the IT Security Office will periodically monitor the progress in obtaining contractual support and correcting IORS programming deficiencies.